Add the ability to send a custom EDL authentication signature for Xiaomi devices

[David112x]

I looked into how the process of sending the EDL authentication signature to a Xiaomi device works, and it works like this:

• First, an XML file is sent to the device, this XML file lets the device know that it's about to receive the signature, the XML file looks like this:
  <?xml version="1.0" ?><data><sig TargetName="sig" verbose="1" size_in_bytes="256" /></data>
• The device replies with:
  
• Then the signature is sent to the device, not inside an XML file no, rather the signature itself is sent directly to the device, after sending that response and "size_in_bytes" lets EDL know how much the signature is in size, so it'll know what to expect after sending that response.

The way this could work is that the user gets a hex editor and writes the signature's hex data to a file, not in plain text no, but to the file, for example:

The signature above is a leaked signature that seems to work in all Xiaomi SM8150 devices, this may also include all Xiaomi SM7150 devices (I tested it on my Poco X3 NFC and it worked) but more testing is required, as there are 3 signatures and it isn't known which of them work for specific SoCs, what is known is that one of those 3 keys work on the following SoCs:

• SD 636
• SD 680
• SD 845
• SD 855
• SD 860
• SD 870

One key may work on, say for example, SD 855, SD 845 and 636, while it may not work in the others and require a different key out of the 3.

So the way this new feature could work is that the tool is launched with the following command arguments
edl auth --signature=<path/to/signature>

The tool does it's usual stuff, then it sends the command for authentication, aka the XML file with "sig", waits for the device to send ACK and if the device sends ACK, then continue, but if it says NAK, error out and check if it had a "log value", if it continues, it writes the signature file directly to the device's COM port, after that, it listens in to check for response's value, if it's ACK, it means that EDL is authenticated, but it's NAK, then it means that authentication failed and that this could be due to a "signature verification error", maybe there are more errors, however, these are yet to be documented.

The reason why I think it should focus on the response value is because I don't think it would be a great idea to hardcode the string that the device sends when EDL is authenticated or when it fails, the log value's string could be different.

This is how my Poco X3 NFC responds to the signature that I took a screenshot of.

[Dinolek]

Signature here is RSA2048 encrypted, pub key is in the firehose loader.
It decrypts to:

0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00

Signature currently used in this repo decrypts to:

0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00516c4a4f5256566e5358565253544a73636a6872553164445133453164574d335a6e706f52773d3d

This works because token is 0(at least in my firehose), before requesting it(TargetName="req") and there is no check.
I have successfully tested it on Poco F2 Pro(sm8250).

[David112x]

It seems that it works the same way in my Poco X3 NFC as well, given that I attempted going through the entire auth process (requesting the token/blob and then sending this signature and yet it would fail.

[team-orangeBlue]

Is it time to make lookup charts for devices with broken PBL code?

[David112x]

The 3 signatures that I mentioned earlier were released with a chinese tool that took advantage of the BFF (Batch Framework for Flashing), though it had a modified version of this framework in order to be able to use EDL and authentication, either by those signatures or an user-provided signature.

[David112x]

I've been testing a few ideas for sending the custom signature over to the phone and there's a "Xiaomi" module that contains a function for attempting EDL authentication with a signature that's hardcoded into the tool, I made it so that I could enter the path to my own signature instead of hard coding it in.

This is the code responsible for checking the device's response after sending the signature if I'm not mistaken.

Traceback (most recent call last):
  File "/home/david/edl/./edl", line 393, in <module>
    base.run()
  File "/home/david/edl/./edl", line 384, in run
    if fh.connect(sahara):
       ^^^^^^^^^^^^^^^^^^
  File "/home/david/edl/edlclient/Library/firehose_client.py", line 114, in connect
    if self.firehose.configure(0):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/david/edl/edlclient/Library/firehose.py", line 917, in configure
    if self.modules.edlauth():
       ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/david/edl/edlclient/Library/Modules/init.py", line 87, in edlauth
    return self.xiaomi.edl_auth()
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/david/edl/edlclient/Library/Modules/xiaomi.py", line 50, in edl_auth
    if "value" in rsp.resp:
       ^^^^^^^^^^^^^^^^^^^
TypeError: argument of type 'bool' is not iterable

That doesn't mean authentication is unsuccessful though, because it does go through and then I was able to send other commands.

[David112x]

This is a screenshot of the output of the command edl getstorageinfo --debugmode on my Poco X3 NFC:

This is how it looks like to use the same command without --debugmode:

I don't think it's normal for it to not output anything like this and keep in mind that I executed the "edl" that was installed in my system, not the local one in the current directory, otherwise it would've been something like ./edl.

[David112x]

Traceback (most recent call last):
  File "/home/david/edl/./edl", line 393, in <module>
    base.run()
  File "/home/david/edl/./edl", line 384, in run
    if fh.connect(sahara):
       ^^^^^^^^^^^^^^^^^^
  File "/home/david/edl/edlclient/Library/firehose_client.py", line 114, in connect
    if self.firehose.configure(0):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/david/edl/edlclient/Library/firehose.py", line 917, in configure
    if self.modules.edlauth():
       ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/david/edl/edlclient/Library/Modules/init.py", line 87, in edlauth
    return self.xiaomi.edl_auth()
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/david/edl/edlclient/Library/Modules/xiaomi.py", line 50, in edl_auth
    if "value" in rsp.resp:
       ^^^^^^^^^^^^^^^^^^^
TypeError: argument of type 'bool' is not iterable

With the help of commit 9c9c489: Fix xiaomi edl auth check

I was able to get authentication to work properly with custom signatures and the one that was hard coded into the tool

[team-orangeBlue]

Tested on a redmi note 10 pro. Bought in June of 2021.
Both signatures rejected

Qualcomm Sahara / Firehose Client V3.62 (c) B.Kerler 2018-2024.
main - Using loader /home/ubuntu/Downloads/sweet_edl_files/prog_ufs_firehose_sm7150_ddr.elf ...
main - Waiting for the device
main - Device detected :)
sahara - Protocol version: 2, Version supported: 1
main - Mode detected: sahara
sahara - 
Version 0x2
------------------------
HWID:              0x000e60e100720000 (MSM_ID:0x000e60e1,OEM_ID:0x0072,MODEL_ID:0x0000)
CPU detected:      "SM7150"
PK_HASH:           0x1bebe3863a6781db4b01086063007334de9e5ca14971c7c4f4358ec9d79cda4692ce5e948c6fd409408f4c919fcadfe3
Serial:            0x179247ff

sahara - Protocol version: 2, Version supported: 1
sahara - Uploading loader /home/ubuntu/Downloads/sweet_edl_files/prog_ufs_firehose_sm7150_ddr.elf ...
sahara - 64-Bit mode detected.
sahara - Firehose mode detected, uploading...
sahara - Loader successfully uploaded.
main - Trying to connect to firehose loader ...
firehose - INFO: ufs: SKhynix
firehose - INFO: Binary build date: Feb  5 2021 @ 22:36:20
firehose - INFO: Binary build date: Feb  5 2021 @ 22:36:20 
firehose - INFO: Chip serial num: 395462655 (0x179247ff)
firehose - INFO: Supported Functions (14):
firehose - INFO: program
firehose - INFO: read
firehose - INFO: nop
firehose - INFO: patch
firehose - INFO: configure
firehose - INFO: setbootablestoragedrive
firehose - INFO: erase
firehose - INFO: power
firehose - INFO: firmwarewrite
firehose - INFO: getstorageinfo
firehose - INFO: benchmark
firehose - INFO: emmc
firehose - INFO: ufs
firehose - INFO: fixgpt
firehose - INFO: End of supported functions 14
firehose_client
firehose_client - [LIB]: No --memory option set, we assume "UFS" as default ..., if it fails, try using "--memory" with "UFS","NAND" or "spinor" instead !
firehose - Xiaomi EDL Auth detected.
Requesting auth
Sending signature
Sent k246jlc8rQfBZ2RLYSF4Ndha1P3bfYQKK3IlQy/NoTp8GSz6l57RZRfmlwsbB99sUW/sgfaWj89//dvDl6Fiwso+XXYSSqF2nxshZLObdpMLTMZ1GffzOYd2d/ToryWChoK8v05ZOlfn4wUyaZJT4LHMXZ0NVUryvUbVbxjW5SkLpKDKwkMfnxnEwaOddmT/q0ip4RpVk4aBmDW4TfVnXnDSX9tRI+ewQP4hEI8K5tfZ0mfyycYa0FTGhJPcTTP3TQzy1Krc1DAVLbZ8IqGBrW13YWN/cMvaiEzcETNyA4N3kOaEXKWodnkwucJv2nEnJWTKNHY9NS9f5Cq3OPs4pQ==
No reply for signature
Requesting auth
Sending signature
Sent vzXWATo51hZr4Dh+a5sA/Q4JYoP4Ee3oFZSGbPZ2tBsaMupn+6tPbZDkXJRLUzAqHaMtlPMKaOHrEWZysCkgCJqpOPkUZNaSbEKpPQ6uiOVJpJwA/PmxuJ72inzSPevriMAdhQrNUqgyu4ATTEsOKnoUIuJTDBmzCeuh/34SOjTdO4Pc+s3ORfMD0TX+WImeUx4c9xVdSL/xirPl/BouhfuwFd4qPPyO5RqkU/fevEoJWGHaFjfI302c9k7EpfRUhq1z+wNpZblOHuj0B3/7VOkK8KtSvwLkmVF/t9ECiry6G5iVGEOyqMlktNlIAbr2MMYXn6b4Y3GDCkhPJ5LUkQ==
No reply for signature
Requesting auth
Sending signature
Sent k246jlc8rQfBZ2RLYSF4Ndha1P3bfYQKK3IlQy/NoTp8GSz6l57RZRfmlwsbB99sUW/sgfaWj89//dvDl6Fiwso+XXYSSqF2nxshZLObdpMLTMZ1GffzOYd2d/ToryWChoK8v05ZYAAAEQUyaZJT4LHMXZ0NVUryvUbVbxjW5SkLpKDKwkMfnxnEwaOddmT/q0ip4RpVk4aBmDW4TfVnXnDSX9tRI+ewQP4hEI8K5tfZ0mfyycYa0FTGhJPcTTP3TQzy1Krc1DAVLbZ8IqGBrW13YWN/cMvaiEzcETNyA4N3kOaEXKWodnkwucJv2nEnJWTKNHY9NS9f5Cq3OPs4pQ==
No reply for signature
Auth likely failed
firehose
firehose - [LIB]: Error on EDL Authentification```

[Dinolek]

Sweet prog_ufs_firehose_sm7150_ddr.elf has this check: if (strlen(&token) == 0), so it's not going to work

[David112x]

Do you know if sweet's firehose from the engineering ROM also has that check?

[Dinolek]

eng loader has same check, device should replay with "Blob should init first"

[team-orangeBlue]

Just as I was about to say that "it failed!"..

anyway:

python3 edl nop --loader='/home/ubuntu/Downloads/prog_ufs_firehose_sm7150_ddr.elf'
Qualcomm Sahara / Firehose Client V3.62 (c) B.Kerler 2018-2024.
main - Using loader /home/ubuntu/Downloads/prog_ufs_firehose_sm7150_ddr.elf ...
main - Waiting for the device
main - Device detected :)
sahara - Protocol version: 2, Version supported: 1
main - Mode detected: sahara
sahara - 
Version 0x2
------------------------
HWID:              0x000e60e100720000 (MSM_ID:0x000e60e1,OEM_ID:0x0072,MODEL_ID:0x0000)
CPU detected:      "SM7150"
PK_HASH:           0x1bebe3863a6781db4b01086063007334de9e5ca14971c7c4f4358ec9d79cda4692ce5e948c6fd409408f4c919fcadfe3
Serial:            0x179247ff

sahara - Protocol version: 2, Version supported: 1
sahara - Uploading loader /home/ubuntu/Downloads/prog_ufs_firehose_sm7150_ddr.elf ...
sahara - 64-Bit mode detected.
sahara - Firehose mode detected, uploading...
sahara - Loader successfully uploaded.
main - Trying to connect to firehose loader ...
firehose - INFO: ufs: SKhynix
firehose - INFO: Binary build date: Apr 25 2021 @ 11:28:35
firehose - INFO: Binary build date: Apr 25 2021 @ 11:28:35 
firehose - INFO: Chip serial num: 395462655 (0x179247ff)
firehose - INFO: Supported Functions (15):
firehose - INFO: program
firehose - INFO: read
firehose - INFO: nop
firehose - INFO: patch
firehose - INFO: configure
firehose - INFO: setbootablestoragedrive
firehose - INFO: erase
firehose - INFO: power
firehose - INFO: quick_reset
firehose - INFO: firmwarewrite
firehose - INFO: getstorageinfo
firehose - INFO: benchmark
firehose - INFO: emmc
firehose - INFO: ufs
firehose - INFO: fixgpt
firehose - INFO: End of supported functions 15
firehose_client
firehose_client - [LIB]: No --memory option set, we assume "UFS" as default ..., if it fails, try using "--memory" with "UFS","NAND" or "spinor" instead !
firehose - Xiaomi EDL Auth detected.
firehose
firehose - [LIB]: ERROR: Only nop and sig tag can be recevied before authentication.
If you want to use your own signature, enter Y, otherwise enter N: y
Enter path to your EDL signature: /home/ubuntu/Downloads/EDL1.sig
Requested auth
Request accepted
Sent data
firehose
firehose - [LIB]: Error on EDL Authentification
ubuntu@ubuntu:~/edl$ python3 edl nop --loader='/home/ubuntu/Downloads/prog_ufs_firehose_sm7150_ddr.elf'
Qualcomm Sahara / Firehose Client V3.62 (c) B.Kerler 2018-2024.
main - Using loader /home/ubuntu/Downloads/prog_ufs_firehose_sm7150_ddr.elf ...
main - Waiting for the device
main - Device detected :)
main - Mode detected: firehose
firehose
firehose - [LIB]: ERROR: Only nop and sig tag can be recevied before authentication.
If you want to use your own signature, enter Y, otherwise enter N: n
Requested auth
Request accepted
Sent data
firehose
firehose - [LIB]: Error on EDL Authentification

Here's the engineering loader itself. A bit smaller. Change extension so that it's an elf.
prog_ufs_firehose_sm7150_ddr.txt

So we know that the poco X3 that started with android 10 has the bug but the rn10p on a11 doesn't. Good baseline but more confirmation needed for "phones older are flawed, phones newer aren't".

[starsunyzl]

PR #569
Tested on Mi 9, not working. However, it works with some paid tools, it should be the same solution.

RX:<?xml version="1.0" encoding="UTF-8" ?>
RX:<data>
RX:<log value="ERROR: Blob should init first." /></data>

[team-orangeBlue]

I'd hotspot the host PC to another PC that has wireshark running and then sniff the wifi.

As for serial... Not exactly sure.

[David112x]

I'd hotspot the host PC to another PC that has wireshark running and then sniff the wifi.

As for serial... Not exactly sure.

https://github.com/fjovine/SerialSniffer

[David112x]

Crikey...
I really wanna know how things like unlocktool approach this. Putting a wireshark and a serial logger somewhere should be easy. $25/3mo is cheap, but I need to justify my purchase in part.

UnlockTool has anti-logger/monitor feature, so maybe you need to do some work to bypass it. I purchased UnlockTool, but I'm not working on it right now, maybe later.

Does it have some sort of anti VM? if not then it should be workable.

[mouseos]

Crikey...
I really wanna know how things like unlocktool approach this. Putting a wireshark and a serial logger somewhere should be easy. $25/3mo is cheap, but I need to justify my purchase in part.

UnlockTool has anti-logger/monitor feature, so maybe you need to do some work to bypass it. I purchased UnlockTool, but I'm not working on it right now, maybe later.

USB over network can also be used to capture USB.
Install usb over network client on the PC with unlocktool, and install usb over network server and usbpcap on the other PC.

[team-orangeBlue]

What exactly do you suggest? The site tells you to remove flexihub, which is a USB mirroring tool.

[David112x]

Well, seeing what has happened so far, I think we can count out the Mi 9, the Mi 9T, the Redmi Note 10 Pro and the Mi 11 Lite 4G.

The Redmi Note 9S/9 Pro on the other hand is very likely to be vulnerable and the reason why I believe so is because that device and the Poco X3 NFC seem to share the same firmware to some extent, seeing how ABL/LinuxLoader has references for their codenames and such.

To me, it's kinda weird that LinuxLoader has such references on devices that are different in a lot of ways, but that's just ABL, not XBL.

[moha2508]

Pls bro how to sand auth.sig

[moha2508]

Am tasted note 10 pro and note work

[team-orangeBlue]

We already know that. The task is to figure out if there's anything that can be done to simulate things properly. The X3 fell short, after all.

[atharva288]

Iam ready to test this on redmi note 9s, I just need a Lil bit of guide on how to

[jroovy]

#568 (comment)

as there are 3 signatures and it isn't known which of them work for specific SoCs, what is known is that one of those 3 keys work on the following SoCs

Where is the 3rd signature? I only see 2.
The 2 signatures don't work on my Poco X3 Pro.
I'd like to test the 3rd signature if available.

[jroovy]

Hi, the auth signatures are listed inside this file:
ec43594

[0v3rfl00w]

Unfortunately the signatures didn't work with my poco X3 pro :(

[0v3rfl00w]

@David112x would you please share the signature files if possible , i will test with my poco x3 pro
Thanks :)